SSH login takes very long time...sometimes

Atanas atanas at asd.aplus.net
Fri Feb 17 13:34:09 PST 2006


Mike Tancsa said the following on 02/17/06 11:50:
> At 09:17 PM 16/02/2006, Atanas wrote:
> 
>> Does anybody know whether ipfw (or something else within FreeBSD-4) is 
>> capable of setting connection rate limits?
> 
> Why not just launch sshd out of inetd ?
> 
Primarily because of the big scare sign in the sshd man page:

  -i   Specifies that sshd is being run from inetd(8).  sshd is normally
       not run from inetd because it needs to generate the server key
       before it can respond to the client, and this may take tens of
                                                              ^^^^^^^
       seconds.  Clients would have to wait too long if the key was
       ^^^^^^^
       regenerated every time.  However, with small key sizes (e.g.,
       512) using sshd from inetd may be feasible.

It was my fault for not verifying how much time it really takes. I just 
tested it on a couple of machines, and it seems to be way faster:

   # time ssh blah at 6-STABLE-2048-bit-inetd

   real    0m0.669s
   user    0m0.012s
   sys     0m0.000s

   # time ssh blah at 5-STABLE-1024-bit-inetd

   real    0m0.374s
   user    0m0.000s
   sys     0m0.008s

   # time ssh blah at 5-STABLE-1024-bit-daemon

   real    0m0.348s
   user    0m0.000s
   sys     0m0.008s


I ran this multiple times. The first one defaults to a 2048-bit key (a 
6-STABLE based box), the second one to 1024-bit (5.4), and the third one 
to a standalone ssh daemon.

So what the man page says about the timings could have been true some 10 
years ago, but not now.

> Start up inetd with -wWl -C 5
> 
> In inetd.conf
> ssh     stream  tcp     nowait  root  /usr/sbin/sshd /usr/sbin/sshd -i
> 
> This will allow 5 connections per min from a single IP.
> 
Yeah, I still use it to run (pro)ftpd and have never had problems with that. 
It's also possible to specify per-entry limits, like:

ftp  stream  tcp  nowait/100/60/10  root  /usr/libexec/ftpd  ftpd -l
ssh  stream  tcp  nowait/50/10/5    root  /usr/sbin/sshd     sshd -i

50/10/5 = max-children/max-conn-per-ip-per-minute/max-child-per-ip

Regards,
Atanas
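The inetd connection limits discussed in this thread, as an added example that is not code from the post above or from FreeBSD's inetd: a small Python model that decodes the wait/nowait field of an inetd.conf entry (max-children/max-connections-per-ip-per-minute/max-child-per-ip) and replays a constructed sequence of connection attempts against those limits, so you can see which attempts a given entry would refuse. The 60-second sliding window over attempts, the order in which the three limits are checked, and the 192.0.2.x addresses are assumptions made for the example; what inetd itself does once a limit is hit (logging, temporarily disabling the service) is not modelled.

```python
"""Model of inetd-style connection limits for an inetd.conf entry.

Added example; this is not code from the freebsd-stable thread and not
FreeBSD's inetd.  It parses the wait/nowait field of an inetd.conf line
into the three optional limits and applies them to constructed connection
attempts.  Assumptions (not inetd behaviour): the per-minute counter is a
60-second sliding window over all attempts, limits are checked in the
order max-children, max-child-per-ip, per-ip-per-minute, and no lockout
is applied after a refusal.
"""
from collections import defaultdict, deque


def parse_inetd_entry(line):
    """Decode one inetd.conf line into its service name and limits.

    'ssh stream tcp nowait/50/10/5 root /usr/sbin/sshd sshd -i' gives
    max_children=50, per_ip_per_minute=10, max_child_per_ip=5.
    A missing or empty limit means unlimited and is returned as None.
    """
    fields = line.split()
    if len(fields) < 6:
        raise ValueError("not an inetd.conf entry: %r" % line)
    wait = fields[3].split("/")
    if wait[0] not in ("wait", "nowait"):
        raise ValueError("bad wait/nowait field: %r" % fields[3])
    limits = wait[1:4] + [""] * (3 - len(wait[1:4]))  # pad to three slots
    decode = lambda s: int(s) if s else None
    return {
        "service": fields[0],
        "max_children": decode(limits[0]),
        "per_ip_per_minute": decode(limits[1]),
        "max_child_per_ip": decode(limits[2]),
    }


class ServiceLimiter:
    """Admission control for one inetd service (simplified model)."""

    WINDOW = 60.0  # seconds: the "per minute" in max-connections-per-ip-per-minute

    def __init__(self, limits):
        self.limits = limits
        self.active = {}                  # child id -> peer ip, for running children
        self.recent = defaultdict(deque)  # peer ip -> attempt timestamps in window
        self.next_child = 1

    def connect(self, ip, now):
        """Return (accepted, child_id) or (refused, reason) for one attempt."""
        window = self.recent[ip]
        while window and now - window[0] >= self.WINDOW:
            window.popleft()
        window.append(now)  # every attempt counts, accepted or not (assumption)

        lim = self.limits
        if lim["max_children"] is not None and len(self.active) >= lim["max_children"]:
            return False, "max-children"
        from_ip = sum(1 for peer in self.active.values() if peer == ip)
        if lim["max_child_per_ip"] is not None and from_ip >= lim["max_child_per_ip"]:
            return False, "max-child-per-ip"
        if lim["per_ip_per_minute"] is not None and len(window) > lim["per_ip_per_minute"]:
            return False, "max-connections-per-ip-per-minute"
        child = self.next_child
        self.next_child += 1
        self.active[child] = ip
        return True, child

    def child_exited(self, child):
        self.active.pop(child, None)


def simulate(entry_line, attempts):
    """Replay constructed attempts (now, ip, holds_open) through the entry's limits.

    holds_open=False means the child exits immediately, as a quick failed
    login would.  Returns a list of (now, ip, accepted, child_or_reason).
    """
    limiter = ServiceLimiter(parse_inetd_entry(entry_line))
    results = []
    for now, ip, holds_open in attempts:
        ok, detail = limiter.connect(ip, now)
        if ok and not holds_open:
            limiter.child_exited(detail)
        results.append((now, ip, ok, detail))
    return results


def refused_attempts(results):
    """Filter simulate() output down to the refused attempts."""
    return [(now, ip, detail) for now, ip, ok, detail in results if not ok]


SSH_ENTRY = "ssh  stream  tcp  nowait/50/10/5    root  /usr/sbin/sshd     sshd -i"

# Constructed scenario: a scanner at 192.0.2.10 fires 12 quick attempts in
# 30 seconds while an admin at 192.0.2.20 logs in once in the same window.
SCENARIO = [(t * 2.5, "192.0.2.10", False) for t in range(12)] + [(31.0, "192.0.2.20", True)]

if __name__ == "__main__":
    for now, ip, ok, detail in simulate(SSH_ENTRY, SCENARIO):
        outcome = "accepted (child %d)" % detail if ok else "refused: %s" % detail
        print("t=%5.1fs  %-12s %s" % (now, ip, outcome))
```

With the `nowait/50/10/5` entry from the post, the scanner's first ten attempts within the minute are accepted and the eleventh and twelfth are refused on the per-IP-per-minute limit, while the admin's connection from another address is unaffected; holding six sessions open from one address trips max-child-per-ip instead. Because the counter here counts attempts rather than accepted connections, a client that keeps retrying stays refused until enough of its attempts age out of the window.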


More information about the freebsd-stable mailing list